path: root/md/writeup/scan_memory_for_variable.md
blob: f50c2294c2d71623cda695ae3186281f51586c92
title:Scan memory for variable
keywords:memory,scan,variable

# Scan memory for variable

Some days ago I was playing a game, and as I do not play games very often,
I wanted to change some variables in memory, like ammo quantity
or health. Maybe it is not very interesting to play a game with "cheating",
but it is much more interesting to play with the program.


scanmem can help with this kind of play.


Here is an example program that will help us learn how to use scanmem:

```c
#include <stdio.h>
#include <stdlib.h>

unsigned int secret_dw = 1000; /* variable to search for */
unsigned int tmp;              /* holds the value typed by the user */

int main(void)
{
    /* -1 converts to UINT_MAX, so typing 4294967295 ends the loop */
    while (secret_dw != (unsigned int)-1)
    {
        if (scanf("%u", &tmp) != 1)   /* stop on EOF or non-numeric input */
            break;
        printf("secret_dw was %u \n", secret_dw);
        secret_dw = tmp;
        tmp = 0; /* zero tmp so scanmem does not also find its location */
    }
    printf("\bExit\n");
    return 0;
}
```

Here there are only two variables: secret_dw, the value that we will search
for, and tmp, which stores the input. tmp is also zeroed after each read; otherwise
we would find both tmp and secret_dw.

Compile the example with

```bash
make
```

and run it

```bash
./example
```

And in parallel run

```bash
$ scanmem `pidof example`
scanmem version 0.11
Copyright (C) 2009,2010 Tavis Ormandy, Eli Dupree, WANG Lu
Copyright (C) 2006-2009 Tavis Ormandy
scanmem comes with ABSOLUTELY NO WARRANTY; for details type `show warranty'.
This is free software, and you are welcome to redistribute it
under certain conditions; type `show copying' for details.

info: maps file located at /proc/1801/maps opened.
info: 5 suitable regions found.
Please enter current value, or "help" for other commands.
```

As we are searching for a 4-byte unsigned value, we tell scanmem so by setting an option:

```text
0> option scan_data_type int32
```

Now we are ready to start our game. At the beginning we know that our secret_dw value is 1000, but we will not use it.
Type 1 in the example:

```text
secret_dw was 1000
```

and in scanmem:
```text
0> 1
info: 01/05 searching  0x8049000 -  0x804a000...........ok
info: 02/05 searching 0xb763d000 - 0xb763e000...........ok
info: 03/05 searching 0xb7787000 - 0xb778a000...........ok
info: 04/05 searching 0xb77a7000 - 0xb77a9000...........ok
info: 05/05 searching 0xbf9d4000 - 0xbf9f5000...........ok
info: we currently have 58 matches.
```

As we can see, 58 matches. WooHoo. Now type '1000' in the example:

```text
1000
secret_dw was 1
```
in scanmem

```text
58> 1000
..........info: we currently have 2 matches.
```

Only 2 now.

scanmem also has many built-in commands; you can see them by typing help.
One of them is 'list'. Use it:
```text
2> list
[ 0]            0x8049680, 1000, [I32 ]
[ 1]           0xbf9f2dd8, 1000, [I32 ]
```

Here is the list of matched variables: number, address, value, size. By the address we can see that
our variable is number 0: 0x8049680 lies in the first region (0x8049000 - 0x804a000), which belongs to the
binary itself and holds its global data, while 0xbf9f2dd8 lies in the last region (0xbf9d4000 - 0xbf9f5000), the stack.

```text
2> set 0=999
info: setting *0x8049680 to 0x3e7...
2> list
[ 0]            0x8049680, 1000, [I32 ]
[ 1]           0xbf9f2dd8, 1000, [I32 ]
```

Now our variable has the value 999. When you type list it may be a little
bit confusing that the values are the same (list shows the value recorded at the last scan, not a fresh read). Go to the example:

```text
12
secret_dw was 999
```

Yes. We have changed our variable. Our goal is complete.
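The whole session above (scan for 1, narrow with 1000, list, set 0=999) is a simple candidate-filtering algorithm. The following added example, which is not part of the original writeup and not scanmem's code, replays it over a constructed in-memory snapshot instead of a live process: the region bases, the offsets 0x680 and 0xdd8, the 4 KiB region sizes and the scattered "noise" values of 1 are all constructed so that the first pass returns many hits and the second pass leaves exactly the two addresses scanmem listed. The scan checks every byte offset, which is one possible model; it is not a claim about how scanmem itself iterates.

```python
import struct

INT32 = struct.Struct("<I")  # scanmem's int32 type, little-endian, 4 bytes

# Constructed layout: a data-segment region and a 4 KiB slice of the stack.
DATA_BASE = 0x8049000    # base of the binary's data region from the writeup
STACK_BASE = 0xbf9f2000  # assumed page inside the stack region 0xbf9d4000-0xbf9f5000
SECRET_OFF = 0x680       # 0x8049680: where secret_dw ended up, scanmem's [ 0]
STALE_OFF = 0xdd8        # 0xbf9f2dd8: a stale copy on the stack, scanmem's [ 1]


def make_snapshot(secret_value):
    """Stand-in for /proc/<pid>/mem at one moment: {region_base: bytearray}."""
    data, stack = bytearray(0x1000), bytearray(0x1000)
    # Unrelated int32 slots holding 1 (constructed), so the first scan is noisy.
    for off in range(0, 0x1000, 0x100):
        INT32.pack_into(data, off, 1)
        INT32.pack_into(stack, off, 1)
    INT32.pack_into(data, SECRET_OFF, secret_value)   # the real variable
    INT32.pack_into(stack, STALE_OFF, secret_value)   # leftover copy on the stack
    return {DATA_BASE: data, STACK_BASE: stack}


def scan(snapshot, value):
    """First pass: every byte offset in every region whose int32 equals value."""
    needle = INT32.pack(value)
    hits = []
    for base, mem in snapshot.items():
        pos = mem.find(needle)
        while pos != -1:
            hits.append(base + pos)
            pos = mem.find(needle, pos + 1)
    return sorted(hits)


def _locate(snapshot, address):
    for base, mem in snapshot.items():
        if base <= address <= base + len(mem) - INT32.size:
            return mem, address - base
    raise ValueError("address %#x is not inside any region" % address)


def read_int32(snapshot, address):
    mem, off = _locate(snapshot, address)
    return INT32.unpack_from(mem, off)[0]


def write_int32(snapshot, address, value):
    """Equivalent of scanmem's 'set': overwrite one candidate in place."""
    mem, off = _locate(snapshot, address)
    INT32.pack_into(mem, off, value)


def refine(snapshot, candidates, value):
    """Later passes: keep only candidates that now hold the new value."""
    return [a for a in candidates if read_int32(snapshot, a) == value]


def run_session():
    """Replays the writeup: scan 1, scan 1000, then set candidate 0 to 999."""
    snap = make_snapshot(1)              # the user typed 1, so secret_dw == 1
    candidates = scan(snap, 1)
    first_pass_hits = len(candidates)    # many matches, like the 58 seen live
    snap = make_snapshot(1000)           # the user typed 1000; noise unchanged
    candidates = refine(snap, candidates, 1000)
    write_int32(snap, candidates[0], 999)  # "set 0=999" on the lowest address
    return first_pass_hits, candidates, read_int32(snap, candidates[0])


if __name__ == "__main__":
    hits, cands, new_value = run_session()
    print("first pass: %d matches" % hits)
    for i, addr in enumerate(cands):
        print("[%2d] %#x" % (i, addr))
    print("candidate 0 now reads %u" % new_value)
```

The noise values stay at 1 between the two snapshots, which is exactly why the second pass discards them: a candidate survives only if its content follows the value the user controls. The stale stack copy survives too, which is why the writeup still needs the address ranges to pick the right one.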

scanmem webpage: scanmem [1]

The source archive contains the program outputs and the example code.



## Links
[1] http://taviso.decsystem.org/scanmem.html

## Downloads
scan_memory.tar.gz - 2KiB - http://archive.main.lv/files/writeup/scan_memory_for_variable/scan_memory.tar.gz